[Samba] Permission denied on GPT.ini (Event ID 1058)

Sébastien Le Ray sebastien-samba at orniz.org
Mon Mar 21 15:32:21 UTC 2016


Hi

I did the same, checking "replace child folders permission" and setting 
inheritance back (ntacl sysvolreset does not seem to do much), no 
clue.

In Event Viewer, right before the GPO failure I have a Kerberos 
warning: "The number of maximum ticket referrals has been exceeded 
(0xc00002f4)"

On 21/03/2016 15:53, L.P.H. van Belle wrote:
> Hi,
>
> Today I had about the same problem.
>
> Check the following.
>
> 1) Get the policy ID (like {78732DBF-5381-497B-9B25-00A278270A1F}) from
>   PATH_TO_SYSVOL_FOLDER/Policies/
> 2) Run getfacl on the folder, like:
>   getfacl \{78751DBF-5381-497B-9B25-00A278270A1F\}/
>
> Here, in my case, I noticed the following.
> I had a user set on one specific policy; I changed that user to a newly created group.
>
> After looking with getfacl I noticed that the user was still on GPT.INI
> and not the group,
> resulting in the Permission denied on GPT.ini.
>
> For now I fixed it by setting the inheritance of the folder to the files again.
>
> Summary of what I think, and others must test this also:
>
> When creating the policy for the first time it sets the correct U+G rights.
> After changing this, not.
>
> Another quick fix is to add the computer($) to the group.
>
> I hope people know what I mean; if not, ask me.
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sébastien Le Ray
>> Sent: Monday 21 March 2016 10:45
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Permission denied on GPT.ini (Event ID 1058)
>>
>>
>>
>> On 20/03/2016 17:03, Klaus Hartnegg wrote:
>>>> On 19.03.2016 at 08:16, Sébastien Le Ray <sebastien-samba at orniz.org> wrote:
>>>> Yes but in that case I'm not using the machine account anymore but the
>>>> currently logged in user account. That's why I guess it is related to some
>>>> machine account configuration issue but I can find no way to test machine
>>>> account access?
>>> psexec -i -s cmd.exe
>>> must be run as admin
>>> will open a new window
>>> try there:
>>> echo %username%
>>> looks like machine account
>> Hi,
>>
>> This gives me the machine account name which I already know.
>>
>> BUT I used pushd \\path\to\sysvol in the spawned cmd.exe and I
>> successfully mounted the supposedly unreadable share (tried all 5 DCs)
>> and type'd the GPT.ini
>>
>> If someone has any further investigation track, I'll take it
>>
>> Regards
>>
>
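
The comparison described in the quoted reply (getfacl on the policy folder versus its GPT.INI) can be scripted. This is an added example, not part of the original thread: the sample ACL text, the numeric IDs and the `{POLICY-GUID}` placeholder are constructed, and the function names are hypothetical.

```python
import subprocess

# Constructed sample getfacl output (IDs and "{POLICY-GUID}" are placeholders).
FOLDER_ACL = """\
# file: {POLICY-GUID}
# owner: 3000000
# group: 3000000
user::rwx
user:3000000:rwx
group::rwx
group:3000020:r-x
mask::rwx
other::---
default:group:3000020:r-x
"""
FILE_ACL = """\
# file: {POLICY-GUID}/GPT.INI
user::rwx
user:3000000:rwx
user:3000015:r-x\t#effective:r-x
group::rwx
mask::rwx
other::---
"""

def read_acl(path):
    """Run getfacl on a real path and return its text output."""
    return subprocess.run(["getfacl", "--absolute-names", path],
                          check=True, capture_output=True, text=True).stdout

def named_entries(getfacl_text):
    """Map (kind, name) -> perms for named user/group access entries."""
    entries = {}
    for line in getfacl_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop headers and "#effective:" notes
        if line.startswith("default:") or line.count(":") < 2:
            continue
        kind, rest = line.split(":", 1)
        name, perms = rest.rsplit(":", 1)
        if kind in ("user", "group") and name:  # empty name = owner/owning group
            entries[(kind, name)] = perms
    return entries

def compare_acl(folder_text, file_text):
    """Report principals present on only one of folder and GPT.INI."""
    folder, gpt = named_entries(folder_text), named_entries(file_text)
    return {"only_on_file": sorted(set(gpt) - set(folder)),
            "only_on_folder": sorted(set(folder) - set(gpt))}

if __name__ == "__main__":
    print(compare_acl(FOLDER_ACL, FILE_ACL))
```

On a DC, pass `read_acl()` of each policy folder and of its GPT.INI to `compare_acl()`; a principal listed under `only_on_file` is the kind of leftover entry the reply describes.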